Registry remotely hacked win 7, need help tracking the perp

Posted by user577229 on Server Fault
Published on 2011-01-16T03:28:33Z Indexed on 2011/01/16 5:56 UTC

I was writing some .VBS code at the office that would allow certain file extensions to be downloaded without a warning dialog on a w7x32 system.

The system I was writing this on is in a lab on a segmented subnet. All web access is via a proxy server. The only means of accessing my machine is via the internet or from within the lab's MSFT AD domain.

While writing and testing my code I found a message of sorts. Upon refreshing the registry to verify my code changed a dword, instead the message HELLO was written and visible in regedit where the dword value was called for.

I took a screen shot and proceeded to edit my code. This same weird behavior occurred last time I was writing registry code except on another internal server.

I understand that remote registry access exists for Windows systems. I will block this immediately once I return to the office.

What I want to know is, can I trace who made this connection? How would I do this?

I suspect the cause of this is the cause of other "odd" behaviors I'm experiencing at work, such as losing control of my Input Director master control for over an hour and unchanged code that all of a sudden fails for no logical reason.

These failures occur at funny times, whenever I'm about to give a demonstration of my test code. I know this sounds crazy; however, knowledge of the registry component makes this believable. Once the registry can be accessed, the entire system is compromised.

Any help or sanity checking is appreciated.

© Server Fault or respective owner
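The question above is left unanswered on the page. As an added example (not the poster's code and not from Server Fault), here is the triage a responder would run on the Windows 7 host itself: check the Remote Registry service, pull network logons and audited registry changes from the Security log and join them by logon ID, check whether the log was cleared, then contain. It assumes an elevated PowerShell on the affected machine and that the event IDs and property layouts are those of Windows 7.

```powershell
# Added example, not part of the original post: triage a Windows 7 host for
# remote registry access. Run in an elevated PowerShell (2.0+) on the affected
# machine. Assumes the Security log was not cleared; 4657 events exist only if
# "Audit Registry" auditing plus a SACL on the key were already configured.
$Since = (Get-Date).AddDays(-7)   # look-back window; adjust as needed

# 1. State of the Remote Registry service (the path the poster suspects).
Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'" |
    Select-Object Name, State, StartMode

# 2. Network logons (type 3) to this host. Remote registry access rides on one,
#    and its TargetLogonId lets later events be tied to account and source IP.
$logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    ForEach-Object {
        $logons[$_.Properties[7].Value] = New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Account  = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP = $_.Properties[18].Value
        }
    }
$logons.Values | Sort-Object Time | Format-Table Time, Account, SourceIP -AutoSize

# 3. Registry value modifications (4657), joined to the logon that made them.
#    A change made over Remote Registry is attributed to svchost.exe (hosting the
#    service), not to regedit.exe or the poster's own script host; the written
#    data (the HELLO string in this case) appears in NewData.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $who = $logons[$_.Properties[3].Value]
        $ip  = if ($who) { $who.SourceIP } else { '(no network logon in window)' }
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Account  = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            SourceIP = $ip
            Process  = $_.Properties[13].Value
            Key      = $_.Properties[4].Value
            Value    = $_.Properties[5].Value
            NewData  = $_.Properties[11].Value
        }
    } | Format-Table Time, Account, SourceIP, Process, Key, Value, NewData -AutoSize

# 4. Was the Security log cleared in the window? (Event 1102 survives a clear.)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$Since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Containment, as the poster intends: stop and disable the service.
Stop-Service RemoteRegistry -Force
Set-Service RemoteRegistry -StartupType Disabled
```

A type 3 logon alone is not proof: file-share access and domain management tools also produce them, so the join to a 4657 (or, without auditing, the match to the time the HELLO value was seen) is what points at a source. If step 3 returns nothing because auditing was off, enabling "Audit Registry" and adding a SACL to the keys the script touches is what makes the next occurrence traceable.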
